All modern web browsers support zero-width characters. These characters may be added to text on a page without users knowing about it or being able to identify with the naked eye that text contains additional characters.
British security researcher Tom Ross described how zero-width characters can be used to add a logged in user's username to text that is copied by the user. The invisible information are included in paste jobs and all it takes then is to run checks to reveal the hidden characters.
While the method may not work at all to fingerprint a user's activity on the Internet, zero-width characters may be used to reveal the source of leaks or important leak information.
The following text excerpt includes ten zero-width characters: For example, I’ve inserted 10 zero-width spaces into this sentence, can you tell?
These characters are invisible to the eye and they may not show up either when you paste the copied text. If you paste the text into an editor with spell-checking, you will notice that spell-checking flags words that look perfectly normal.
But that can be easily avoided by adding the characters to the beginning or the end of words and not in the middle of them.
Ross published a proof of concept in which he converted the username of users to binary, a list of zero and one characters, to replicate the username using zero-width characters.
So, what can you do to detect if copied text includes zero-width characters?
You could paste the text into an editor that reveals these characters. Head over to DiffChecker and paste the text into the left text field on the site.
You will notice immediately that the site displays zero-width characters in text that you paste on the site. The text is clean if the text appears normal.
Another option that you have is to use the Chrome extension Replace zero-width characters with emojis.
The extension replaces any zero-width characters it detects on sites visited in Google Chrome with emoji when you activate it.
Just install the extension and click on its icon, and then on the "show me" button to reveal any hidden zero-width characters on the page.
You may want to activate the extension whenever you are about to copy text if you are in a situation where you don't want the pasted text be potentially be tracked back to you.
Zero-Width characters is just the latest thing that Internet users need to keep an eye on for when they are connected to the Web. (via Bleeping Computer)
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.